Thread-Modular Model Checking

  • Cormac Flanagan
  • Shaz Qadeer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2648)


We present thread-modular model checking, a novel technique for verifying correctness properties of loosely-coupled multithreaded software systems. Thread-modular model checking verifies each thread separately using an automatically inferred environment assumption that abstracts the possible steps of other threads. Separate verification of each thread yields significant space and time savings. Suppose there are n threads, each with a local store of size L, where the threads communicate via a shared global store of size G. If each thread is finite-state (without a stack), the naive model checking algorithm requires O(G. L n ) space, whereas thread-modular model checking requires only O(n.G.(G + L)) space. If each thread has a stack, the general model checking problem is undecidable, but thread-modular model checking terminates in polynomial time.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    A. Bouajjani, J. Esparza, and T. Touili. A generic approach to the static analysis of concurrent programs with procedures. In POPL 03: Principles of Programming Languages, pages 62–73. ACM Press, 2003.Google Scholar
  2. [2]
    E. M. Clarke and E. A. Emerson. Design and synthesis of synchronization skeletons using branching-time temporal logic. In Workshop on Logic of Programs, Lecture Notes in Computer Science 131, pages 52–71. Springer-Verlag, 1981.CrossRefGoogle Scholar
  3. [3]
    J. M. Cobleigh, D. Giannakopoulou, and C. S. Păsăreanu. Learning assumptions for compositional verification. In TACAS 03: Tools and Algorithms for the Construction and Analysis of Systems, 2003. To appear.Google Scholar
  4. [4]
    C. Flanagan, S. N. Freund, and S. Qadeer. Thread-modular verification for shared-memory programs. In ESOP 02: European Symposium on Programming, Lecture Notes in Computer Science 2305, pages 262–277. Springer-Verlag, 2002.Google Scholar
  5. [5]
    C. Flanagan, S. Qadeer, and S. A. Seshia. A modular checker for multithreaded programs. In CAV 02: Computer Aided Verification, Lecture Notes in Computer Science 2404, pages 180–194. Springer-Verlag, 2002.CrossRefGoogle Scholar
  6. [6]
    D. Giannakopoulou, C. S. Păsăreanu, and H. Barringer. Assumption generation for software component verification. In ASE 02: Automated Software Engineering, pages 3–12. IEEE Computer Society, 2002.Google Scholar
  7. [7]
    J. E. Hopcroft and J. D. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley Publishing Company, 1979.Google Scholar
  8. [8]
    C. N. Ip and D. L. Dill. Better verification through symmetry. Formal Methods in System Design, 9(1–2):41–75, 1996.Google Scholar
  9. [9]
    C. B. Jones. Tentative steps toward a development method for interfering programs. ACM Transactions on Programming Languages and Systems, 5(4):596–619, 1983.MATHCrossRefGoogle Scholar
  10. [10]
    J. Queille and J. Sifakis. Specification and verification of concurrent systems in CESAR. In Fifth International Symposium on Programming, Lecture Notes in Computer Science 137, pages 337–351. Springer-Verlag, 1981.Google Scholar
  11. [11]
    G. Ramalingam. Context-sensitive synchronization-sensitive analysis is undecidable. ACM Transactions on Programming Languages and Systems, 22(2):416–430, 2000.CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Cormac Flanagan
    • 1
  • Shaz Qadeer
    • 2
  1. 1.Systems Research CenterHP LabsPalo Alto
  2. 2.Microsoft ResearchRedmond

Personalised recommendations